UNCLASSIFIED

United States Department of State and the Broadcasting Board of Governors
Office of Inspector General

Information Technology Memorandum Report

Review of the Information Security Program at the Broadcasting Board of Governors

Report Number IT-I-05-10, September 2005

IMPORTANT NOTICE

This report is intended solely for the official use of the Department of State or the Broadcasting Board of Governors, or any agency or organization receiving a copy directly from the Office of Inspector General. No secondary distribution may be made, in whole or in part, outside the Department of State or the Broadcasting Board of Governors, by them or by other agencies or organizations, without prior authorization by the Inspector General. Public availability of the document will be determined by the Inspector General under the U.S. Code, 5 U.S.C. 552. Improper disclosure of this report may result in criminal, civil, or administrative penalties.

PREFACE

This report was prepared by the Office of Inspector General (OIG) pursuant to the Inspector General Act of 1978, as amended, and Section 209 of the Foreign Service Act of 1980, as amended. It is one of a series of audit, inspection, investigative, and special reports prepared by OIG periodically as part of its responsibility to promote effective management, accountability,
and positive change in the Department of State and the Broadcasting Board of Governors.

This report is the result of an assessment of the strengths and weaknesses of the office, post, or function under review. It is based on interviews with employees and officials of relevant agencies and institutions, direct observation, and a review of applicable documents.

The recommendations therein have been developed on the basis of the best knowledge available to the OIG and, as appropriate, have been discussed in draft with those responsible for implementation. It is my hope that these recommendations will result in more effective, efficient, and/or economical operations.

I express my appreciation to all of those who contributed to the preparation of this report.

Howard J. Krongard
Inspector General

Introduction

In response to the Federal Information Security Management Act of 2002 (FISMA),[1] the Office of Inspector General (OIG) performed an independent review of the information security program of the Broadcasting Board of Governors (BBG). FISMA provides a comprehensive framework for establishing and ensuring the effectiveness of controls over information technology (IT) resources that support federal operations and assets and a mechanism for improved oversight of federal agency information security programs. In addition, Office of Management and Budget (OMB) implementation guidance for FISMA requires OIGs to assess development, implementation, and management of the agency-wide plan of action and milestones (POA&M) process and to focus on performance measures.
The specific objectives of OIG's review were to assess BBG's progress in developing its information security program and practices as they relate to FISMA and determine BBG's processes for implementing the requirements of the law.

To fulfill the review objectives, OIG held discussions with BBG officials from the International Broadcasting Bureau (IBB), Office of Cuba Broadcasting (OCB), and the transmitting station in Botswana. OIG did not conduct a review of BBG's grantee organizations: Radio Free Europe/Radio Liberty (RFE/RL), Radio Free Asia (RFA), Middle East Broadcasting Networks (MBN), and Radio Farda, a special project in conjunction with Voice of America (VOA).

In addition to discussions with BBG management and staff, OIG selected a subset of systems and performed a detailed analysis of risk assessments and security plans as well as POA&M documentation and certification and accreditation packages. The subset consisted of the Central Infrastructure Domain, Central Services Domain, Central Extranet Domain, Cuba Broadcasting Headquarters Network, Botswana Transmitting Station Network, and the Public Internet Web Site. OIG held discussions with the managers of these systems to verify the processes and procedures employed in development and submission of FISMA documentation. OIG collected other relevant supporting IT documentation as appropriate.

OIG's Office of Information Technology performed this review from July 2005 through the first week of September 2005. Major contributors to this report were Mary S. Heard and Matthew J. Ragnelli. Comments or questions about the report may be directed to Ms. Heard at heardm@state.gov or (703) 284-2656.

[1] P.L. 107-347, Title III; 44 U.S.C.
3541 et seq.

Results in Brief

OIG's evaluation of the BBG's information security program concluded that BBG has made progress in the past year in meeting FISMA requirements and is adjusting well to last year's reorganization of IT operations (see Appendix A). BBG added a 25th system to its major systems inventory and categorized all of the systems based on risk impact levels as required by Federal Information Processing Standards (FIPS) Publication 199. BBG completed certification and accreditation for 28 percent (7 of 25) of its major systems. Ninety-two percent (23 of 25) of the major systems have risk assessments, system security plans, and POA&Ms. Also, BBG developed agency-wide POA&Ms to address findings reported in previous OIG FISMA reviews and site inspections. Lastly, BBG deployed a new security awareness training program for FY 2005 that has had positive reviews.

BBG's method of tracking POA&Ms is cumbersome and has resulted in lapsed milestones. Finally, BBG has not completed development of an agency-wide enterprise architecture, a recommendation from last year's OIG report and a requirement since 2002. BBG concurred with OIG's recommendations and is moving forward to implement the recommendations. BBG's comments on a draft of the report are reproduced in Appendix B.

Background

The U.S. International Broadcasting Act of 1994[2] created BBG as a self-governing element within the former United States Information Agency, which provided limited administrative, technical, and management support to BBG. The Foreign Affairs Reform and Restructuring Act of 1998[3] granted BBG independence from the United States Information Agency on October 1, 1999. With the exception of limited Department of State broadcasting, BBG is responsible for overseeing all U.S.
government-funded civilian broadcasting, including the operations of IBB, which includes VOA and OCB. BBG also oversees four grantee organizations: RFE/RL, RFA, MBN, and Radio Farda, a joint effort of RFE/RL and VOA that complements VOA's Persian-language radio and television broadcasts into Iran.

Information security is an important consideration for any organization that depends on information systems and information networks to carry out its mission. The dramatic expansion and rapid increase in the use of the Internet has changed the way the U.S. government, private sector, and much of the world communicate and conduct business. However, without proper safeguards, this widespread interconnectivity poses significant risks to the infrastructure it supports and makes it easier and relatively inexpensive for individuals and groups to eavesdrop on government operations, obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other information networks and systems. The war on terrorism and recent terrorist attacks underscore the need to maintain information security in order to continue program broadcasting to BBG audiences relying on impartial reports via satellite television and radio. These transmissions can be direct to home, to affiliates for rebroadcast, or to IBB-owned stations and frequencies for broadcasting. U.S. broadcasting initiatives, which use information systems and information networks to complete their mission, counter the efforts of local and state-sponsored newspapers and broadcasters that portray the United States as anti-Muslim.

[2] P.L. 103-236, Title III, Sec. 301 et seq.
[3] P.L. 105-277.

Faced with continued concerns about information security risks to the federal government, Congress passed and the President signed FISMA into law in December 2002.
The law provides a comprehensive framework for establishing and ensuring the effectiveness of controls over information resources that support federal operations and assets and a mechanism for improving oversight of federal agency information security programs. Also, FISMA and OMB implementation guidance specifically:

• require agency OIGs to assess the development, implementation, and management of the agency POA&M process;
• require agency development of minimum standards for agency systems;
• introduce a statutory definition for information security;
• define agency IT security responsibilities; and
• broaden the scope of the Clinger-Cohen Act[4] to include federal information systems used or operated by contractors acquired for use on federal contracts.

FISMA and OMB implementation guidance also require that each agency:

• develop and maintain a major information systems inventory;
• develop system configuration requirements;
• perform annual periodic testing and evaluation of systems;
• include provisions for continuity of operations in its security program;
• have a qualified senior agency information security officer report to the Chief Information Officer (CIO); and
• send annual reports to OMB and various congressional committees.

Overview of BBG's Information Security Program

In February 2001, OIG found that BBG did not have a documented information security program or written policies and procedures covering information security.
During 2001, BBG's senior management began taking actions to develop its IT security program by appointing a CIO who drafted a framework for the BBG information security program and started developing security plans to protect BBG's mission-critical systems. During its 2002 Government Information Security Reform Act (GISRA) evaluation,[5] OIG noted that BBG was making progress in developing its agency-wide information security program by completing program-level self-assessments and documenting the results in its quarterly reporting of the agency's POA&M to OMB. OIG's 2003 FISMA evaluation[6] reported that BBG had made limited progress in complying with the requirements of FISMA.

[4] Information Technology Management Reform Act of 1996, P.L. 104-106, Div. E; 40 U.S.C. 11101 et seq.
[5] Information Security Program Evaluation: Broadcasting Board of Governors (IT-A-02-07, Sept. 2002).

In April 2004, Congress approved, and on May 30, 2004, BBG implemented, a reorganization consolidating all IT functions into a common program area, the Office of Engineering and Technical Services. BBG designated the director of this office as the Chief Technology Officer (CTO) and appointed a Chief Information Security Officer (CISO). To meet 2004 FISMA requirements, BBG defined 24 major systems, performed risk assessments, and developed general support system and major application system security plans, operating system security configuration standards, and patch management policies. Additionally, BBG developed an agency-wide incident response plan, an IT security awareness training program, and POA&Ms for ten of its 24 major systems.
Despite the progress, OIG found that BBG did not have an enterprise architecture or capital planning and investment control process in place, and transmitting stations overseas were not receiving sufficient guidance for meeting FISMA requirements.

OIG closed 11 of its 12 recommendations from the GISRA 2002 and FISMA 2003 and 2004 evaluations. BBG continues to work toward closing the remaining recommendations by implementing actions designed to improve the overall information security program, including development of an agency-wide enterprise architecture.

Review Findings

BBG continues to make progress in developing its information security program to meet FISMA requirements after consolidating disparate units under one IT authority. BBG's continued efforts to respond to FISMA reporting requirements, as well as OIG's inspection work at the transmitting station in Botswana, have revealed additional areas where BBG is considering reorganizing IT operations to improve information security and compliance with FISMA. OIG supports BBG's progress in developing its information security program and encourages BBG senior management and staff to continue developing the program to comply with FISMA requirements and National Institute of Standards and Technology (NIST) guidance.

Progress in Meeting FISMA Requirements

In the FY 2002 GISRA evaluation, OIG disagreed with BBG's approach in grouping all systems within five functional areas because this organizational structure did not meet GISRA security requirements.
During the FISMA evaluation of BBG in FY 2003, OIG reported that the BBG CIO had neither the time nor the IT qualifications to carry out the CIO's role and had not assigned a senior agency information security officer and information system security officers. Also during FY 2003, IBB's director noted several IT operational deficiencies and areas for improvement and hired a contractor to perform an independent review of BBG's IT services, management, and operations. The independent review identified a lack of effective communication and collaboration among program areas and recommended a restructuring of BBG's IT organization.

[6] Review of the Information Security Program at Broadcasting Board of Governors (IT-A-03-14, Sept. 2003).

In April 2004, Congress approved, and on May 30, 2004, BBG implemented, a reorganization of its IT management structure, responsibilities, and functions by consolidating overall IT program management under the Office of Engineering and Technical Services. BBG named the director of the Office of Engineering and Technical Services as the CTO, with responsibility for all engineering and transmission service functions, and added a new consolidated Information Technology Directorate. BBG appointed a qualified CIO and CTO to direct and oversee a broad range of statutory functions, including meeting the FISMA requirements. The CIO reports directly to the Board of Governors on all IT matters. Lastly, BBG created and the CIO filled the CISO position that reports directly to the CIO and is responsible for overseeing and participating in planning, assessing, and testing of IT operations and ensuring compliance with FISMA.

During FY 2004, BBG took steps to meet FISMA and NIST guidance for developing an agency-wide IT security program.
BBG defined 24 major systems under the Office of Engineering and Technical Services. Additionally, BBG developed operating system security configuration management policy for many of its operating systems, an incident response plan for use at headquarters, and an IT security awareness training program. BBG performed risk assessments and developed security plans and POA&Ms for ten of its 24 major systems. BBG developed a program action plan to address the lack of documentation at transmitting stations, continuity of operations plans, certification and accreditation, training of the IT support staff, POA&Ms, and vulnerability and penetration testing.

During FY 2005, BBG added a system to its list of major systems to bring the total to 25, and made significant progress in meeting FISMA requirements, as shown in Appendix A. BBG assessed and categorized all of its systems based on risk impact levels as required by FIPS 199. BBG completed certification and accreditation for seven of the 25 major systems. Risk assessments, system security plans, and POA&Ms were completed for 23 of the 25 major systems. BBG developed an agency-wide POA&M to address findings reported in previous OIG FISMA reviews and site inspections.
Lastly, BBG deployed a new security awareness training program for FY 2005 that has had positive reviews.

Centralizing Management of Transmitting Station Systems

Despite the progress made toward improving its overall information security program and meeting FISMA requirements, (b) (2) [remainder of paragraph redacted]

System managers perform the risk assessments that identify potential vulnerabilities and create the system security plans and POA&Ms that outline their methodology for mitigating identified risks. The resulting documentation, as well as an independent security assessment, is included in system managers' application packages for certification and accreditation.
If the information that is input into this process from the initial stages is inaccurate or incomplete, the CTO will be making an uninformed decision when accrediting systems.

Recommendation 1: The Chairman, Broadcasting Board of Governors should direct the Chief Technology Officer to centralize, at Washington, DC headquarters, the management of computer networks located at transmitting stations overseas.

Implementing Minimum Standard Security Controls

BBG's current agency-wide security configuration policy is established and available to system managers on the computer security portion of their intranet site, which includes security configuration guides for the operating systems in use at BBG, except for Windows Server 2003, which is under development. BBG's security configuration methodology establishes a minimum baseline for security controls, with the expectation that system managers are to implement additional controls as necessary to ensure adequate protection of information systems.

(b) (2) [paragraph redacted]

NIST has issued a draft version of FIPS Publication 200, which will require federal agencies to implement the minimum security configuration standards recommended in NIST Special Publication 800-53. In light of this, BBG is reevaluating its information security and FISMA efforts to create a more systematic approach. The resulting documentation, including risk assessments, system security plans,
and POA&Ms, should become more thorough and meaningful, thus aiding in the certification and accreditation process. OIG supports BBG in its efforts to use FISMA requirements more effectively to secure its information systems.

Recommendation 2: The Chairman, Broadcasting Board of Governors should direct the Chief Information Officer to implement information system security controls in accordance with National Institute of Standards and Technology Special Publication 800-53.

Implementing an Automated FISMA Reporting Tool

BBG currently has no automated tool for reporting progress in meeting FISMA requirements. The CISO manages the agency-wide POA&M process and has distributed reporting guidance and organized the updates. The CISO and system managers use electronic mail for updating and reporting POA&M progress. However, as more systems now have the required documentation completed and require updates, this process has become cumbersome to keep track of and has resulted in lapsed milestones.

The CISO cannot compel system managers to submit updates. BBG officials have discussed obtaining an automated FISMA reporting tool that would track submissions and automatically send reminders to system managers of impending deadlines, with copies sent to the managers' supervisors as well.
OIG supports BBG in its efforts to ensure effective management of the POA&M process.

Recommendation 3: The Chairman, Broadcasting Board of Governors should direct the Chief Information Officer to procure and implement an automated tool to facilitate reporting and tracking of progress in implementing Federal Information Security Management Act requirements and Office of Management and Budget reporting guidelines.

Developing an Enterprise Architecture

OIG's 2004 FISMA report stated that BBG had not developed an agency-wide IT enterprise architecture or capital planning and investment control process. BBG now has a capital planning and investment control process in place but has not fully developed an enterprise architecture. Disparate elements that comprise an enterprise architecture have been developed, such as outlining business processes and network topologies, but they have not been integrated sufficiently to satisfy the requirements of the Clinger-Cohen Act.

Reinforced by FISMA and OMB guidance, the Clinger-Cohen Act requires that agency CIOs, at a minimum,
develop an enterprise architecture that includes the agency's business processes, information flows, hardware and software, data descriptions, and the IT infrastructure. The enterprise architecture will help ensure that BBG aligns its information system requirements with its business processes and provides adequate interoperability between systems, desired redundancy of systems, and necessary systems security.

Recommendation 4: The Chairman, Broadcasting Board of Governors should direct the Chief Information Officer to develop an enterprise architecture that will align its information system requirements with its mission processes and provide adequate interoperability between systems, redundancy of systems, and systems security.

Recommendations

Recommendation 1: The Chairman, Broadcasting Board of Governors should direct the Chief Technology Officer to centralize, at Washington, DC headquarters, the management of computer networks located at transmitting stations overseas.

Recommendation 2: The Chairman, Broadcasting Board of Governors should direct the Chief Information Officer to implement information system security controls in accordance with National Institute of Standards and Technology Special Publication 800-53.

Recommendation 3: The Chairman, Broadcasting Board of Governors should direct the Chief Information Officer to procure and implement an automated tool to facilitate reporting and tracking of progress in implementing Federal Information Security Management Act requirements and Office of Management and Budget reporting guidelines.

Recommendation 4: The Chairman, Broadcasting Board of Governors should direct the Chief Information Officer to develop an enterprise architecture that will align its information system requirements with its mission
processes and provide adequate interoperability between systems, redundancy of systems, and systems security.

Abbreviations

BBG      Broadcasting Board of Governors
CIO      Chief Information Officer
CISO     Chief Information Security Officer
CTO      Chief Technical Officer
FIPS     Federal Information Processing Standards
FISMA    Federal Information Security Management Act of 2002
GISRA    Government Information Security Reform Act
IBB      International Broadcasting Bureau
IT       Information technology
MBN      Middle East Broadcasting Networks
NIST     National Institute of Standards and Technology
OCB      Office of Cuba Broadcasting
OMB      Office of Management and Budget
OIG      Office of Inspector General
POA&M    Plan of action and milestones
RFA      Radio Free Asia
RFE/RL   Radio Free Europe/Radio Liberty
VOA      Voice of America

Appendix A

(b) (2) [appendix redacted]

Appendix B

Comments From the Broadcasting Board of Governors

BROADCASTING BOARD OF GOVERNORS
UNITED STATES OF AMERICA

September 19, 2005

Ms. Mary S. Heard
Acting Assistant Inspector General
U.S. Department of State

Dear Ms. Heard:

The Broadcasting Board of Governors (BBG) appreciates the opportunity to review and comment on your Memorandum Report IT-I-05-10, Review of the Information Security Program at Broadcasting Board of Governors,
September 2005.

The BBG is pleased that the Report finds that the agency continues to make visible progress on several fronts in meeting the requirements of the Federal Information Security Management Act (FISMA), and that the Board's actions last year to reorganize information technology operations are a contributing factor to that progress. As discussed in the Report, our Engineering management is continuing to refine the operational responsibilities within the new IT organization to more effectively achieve security of operations. We gratefully acknowledge the continuing assistance and contributions of the OIG Information Technology staff in advising the CIO and other IT officials on many relevant security matters over the year.

The BBG concurs in the four recommendations contained in the Report, and makes the following comments.

Recommendation 1: The Chairman, Broadcasting Board of Governors, should direct the Chief Technology Officer to centralize, at Washington, D.C. headquarters, the management of computer networks located at transmitting stations overseas.

The agency concurs with this recommendation.
After internal Engineering and CIO review of transmitting station IT operations and FISMA compliance issues during the past year, including data provided by an OIG station inspection, the Chief Technology Officer in August 2005 directed the Deputies for Engineering Operations and Information Technology to centralize management of station IT systems under the Information Technology Directorate in Washington, D.C. Implementation of this change is anticipated within six months.

Recommendation 2: The Chairman, Broadcasting Board of Governors, should direct the Chief Information Officer to implement information system security controls in accordance with National Institute of Standards and Technology Special Publication 800-53.

The agency concurs with this recommendation, and notes that the minimum security controls enumerated in NIST Special Publication 800-53 will become mandatory with the formal publication of Federal Information Processing Standard 200, which is currently being circulated in draft. As the OIG Report points out, the agency has already categorized its IT systems pursuant to FIPS 199, which is the first step in the process of imposing the new government-wide mandatory minimum security controls.

Recommendation 3: The Chairman, Broadcasting Board of Governors, should direct the Chief Information Officer to procure and implement an automated tool to facilitate reporting and tracking of progress in implementing Federal Information Security Management Act requirements and Office of Management and Budget reporting guidelines.

The agency concurs with this recommendation,
and is currently in the process of acquiring tracking software developed by the Environmental Protection Agency, and being offered to agencies represented by the Federal Small Agency CIO Council, to facilitate tracking and reporting of progress in implementing FISMA requirements. EPA has advised of a delay in the transfer of the software to include some recent software modifications, expected early in the coming fiscal year.

Recommendation 4: The Chairman, Broadcasting Board of Governors, should direct the Chief Information Officer to develop an enterprise architecture that will align its information system requirements with its mission processes and provide adequate interoperability between systems, redundancy of systems, and systems security.

The agency concurs with this recommendation. Some initial steps have been taken within the agency's budget planning process to align IT initiatives with agency mission, in accordance with the principles of IT enterprise architecture. A staff member working under the CIO and assigned to the enterprise architecture development task retired before making notable progress, and his replacement has been delayed due to an agency-wide hiring freeze. The agency has recently approved an exception to the hiring freeze for this purpose, and planning efforts will resume shortly after the hiring process is complete.

We will of course keep your IT staff informed of further progress in accomplishing the recommendations as they occur.

Kenneth Y. Tomlinson
Chairman